Lead Security Engineer Resume
Carlsbad, CA
SUMMARY
- An Information Security Professional with 9+ years of experience in Application Security, Security Architecture & Design, Cloud Security (AWS & Azure) with a focus on engineering AWS cloud solutions as a voice for security, API Security, Penetration Testing, Network Security, Secure Coding, Mobile Security, Cryptography, PKI, Security Information and Event Management (SIEM), SOC, Security Controls and Validation, IT Risk Assessments, Regulatory Compliance and Secure Software Development Life Cycle (secureSDLC).
- Penetration testing based on OWASP Top 10 and SANS 25.
- Analyze the results of penetration tests, design reviews, source code reviews and other security tests. Decide on what to remediate and what to risk accept based on security requirements.
- Highly analytical computer security analyst with success both defending and attacking large-scale enterprise networks.
- Cloud security experience using AWS Landing Zone, VPC, WAF, S3, EC2, GuardDuty, Trusted Advisor, and Direct Connect.
- Strong knowledge of Infrastructure-as-Code and managing a CI/CD pipeline, and protecting applications, websites, cloud networks, and infrastructure.
- Experience using a wide variety of security tools including Kali Linux, Metasploit, HP WebInspect, HP Fortify, Burp Suite Pro, Wireshark, L0phtCrack, Snort, Nmap, Nmap NSE, Cain and Abel, Nikto, DirBuster, IBM AppScan, OWASP ZAProxy, Nessus, OpenVAS, W3AF, BeEF, Ettercap, Maltego, Wi-Fi security tools, SoapUI, Havij, Recon-ng and the Aircrack-ng suite.
- Involved in implementing and validating the security principles of minimum attack surface area, least privilege, secure defaults, avoiding security by obscurity, keeping security simple, and fixing security issues correctly.
- Strong knowledge in Manual and Automated Security testing for Web Applications.
- Working knowledge of OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA and Sarbanes-Oxley Section 404 (SOX).
- SOX Compliance Audit experience on controls like User access management, Change Management, Incident Management.
- Good experience in exploiting recognized vulnerabilities.
- Experience in Threat Modeling during Requirement gathering and Design phases.
- Experience with Security Risk Management with TCP-based networking.
- Experience with TCP/IP, Firewalls, LAN/WAN.
- Experience in implementing Security Information and Event Management (SIEM) systems using HP ArcSight, Splunk ES, Exabeam UBA and UEBA.
- Quick learner and committed team player with strong interpersonal skills who enjoys a challenging environment with scope to improve myself and contribute to the goals of the organization.
- Excellent problem-solving and leadership abilities.
- Experience in Web UI Development implementing web development tools like HTML 4.0/5, XHTML, DHTML, CSS/CSS3, JavaScript, jQuery, AJAX, JSON and XML.
- Knowledgeable about Document Object Model (DOM) and DOM Functions along with experience in Object Oriented Programming Concepts, Object Oriented JavaScript and Implementation.
TECHNICAL SKILLS
Security Tools: HCL AppScan Enterprise (ASE), Standard & Source editions, Microfocus WebInspect, Netsparker, QualysGuard, RSA Archer, FireEye Retina, Onapsis, BurpSuite Pro, Acunetix, Fortify SCA, WAS, SQLMAP, Checkmarx, SecureAssist, AppDetect, AppRador, Oracle Identity Manager, Oracle Access Manager, JHijack, Metasploit Pro, Zed Attack Proxy, FireMon, Squid Proxy, Wireshark, WebScarab, Paros, BlueCoat Proxy, Nmap, BMC BladeLogic, Nessus, Rapid7 Nexpose, Tripwire, Symantec Vontu, DBProtect, ArcSight SIEM, e-DMZ Password Auto Repository (PAR), Varonis, Amazon Web Services (AWS) Cloud security.
Cloud Services (AWS): VPC, EC2, AMIs, EBS, EFS, RDS, S3, SNS, ELB, CloudWatch, CloudTrail, Auto Scaling, Route 53, Lambda, IAM, CloudFormation, Elastic Beanstalk, SQS, SWF, Redshift, Polly, Aurora DB, DynamoDB, Kinesis, Glacier, AWS CodeBuild, CodeDeploy, CodePipeline & CodeStar, AWS OpsWorks, AWS API Gateway
Programming Languages: Java, C# .NET, C, C++
Identity & Data Protection Tools: SafeNet KeySecure, ProtectDB, ProtectFile, RSA Single Sign-On (SSO), Two-Factor (2F) authentication, SafeNet eToken 5110.
Scripting Languages: Python, SonarQube, basic shell scripting, Perl
Web Technologies: HTML 4.0/5, XHTML, DHTML, CSS2/CSS3, JavaScript, jQuery, AJAX, JSON and XML
Web Services: RESTful/SOAP, SOA, UDDI, WSDL
Operating System: Linux/Unix (Red Hat Enterprise Linux, Debian, Ubuntu, Fedora, Kali Linux), Windows.
Databases: MySQL, Oracle, Sybase, MongoDB
Network Enumeration: Maltego, Google Hacking, DNS, SMB, LDAP.
Port/Vulnerability Scanning: Nmap/Nmap Scripting Engine (NSE), Netcat, Nessus
Cloud Security: AWS Landing Zone, AWS GuardDuty, VPC, EC2 & S3 bucket security, MS Azure (IaaS, PaaS, SaaS)
Sniffing/Man-in-the-Middle: Wireshark, Ettercap, Cain
Web Application Vulnerability Scanning: Nessus, OpenVAS, Vega, Acunetix, HP WebInspect, IBM AppScan, QualysGuard.
Server/Client-Side Exploitation: Metasploit, Social Engineering Toolkit (SET).
Password Cracking: Hydra, Medusa, RainbowCrack, Ophcrack, John the Ripper, Pyrit
Web Application: Manual SQL Injection, Manual Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), SQLmap
Debuggers: OllyDbg, WinDBG.
Wireless: Aircrack-ng Suite and Kismet
PROFESSIONAL EXPERIENCE
Lead Security Engineer
Confidential, Carlsbad, CA
Responsibilities:
- Conducted Vulnerability Assessment (DAST and SAST) of Web and Mobile (iOS and Android) applications, including third-party applications, using HCL AppScan, ZAProxy, BurpSuite Pro, SecureAssist, Microfocus Fortify, WebInspect, Checkmarx and QRadar.
- Conducted IT security risk assessments including threat analysis and threat modeling (STRIDE, DREAD).
- Working on container orchestration tool Kubernetes for Customizability, Scalability, and High availability of Continuous integration and deployment (CI/CD) using Git, Jenkins, Maven, Gradle, Ant, SonarQube, Coverity, Flawfinder, Semgrep, Docker, Nexus, and Tomcat Server.
- Built, configured and deployed infrastructure to the cloud using Terraform. Utilized Aqua and Twistlock for verifying Container security.
- Deployed RedLock (Prisma Public Cloud) to ensure firm’s compliance to various security standards.
- Integrated Prisma Cloud Compute Native Security Platform into CI/CD pipelines to continuously scan and monitor for security anomalies of host, container, and serverless functions.
- Implemented Single Sign-On (SSO), MFA, and user provisioning for enterprise applications using Okta, SAML, OAuth2.0, OpenID Connect (OIDC) flows.
- Created and maintained fully automated CI/CD pipelines for code deployment using Octopus Deploy and PowerShell.
- Automated the security scanning process as part of DevSecOps efforts using Jenkins, Maven and Gradle to support CI/CD initiatives.
- Worked extensively with IBM AppScan, Netsparker, BurpSuite, WhiteHat Sentinel, HP WebInspect, HP Fortify and Checkmarx, and worked with software development teams to review source code, triage security vulnerabilities and eliminate false positives.
- Built and maintained Docker container clusters managed by Kubernetes on GCP (Google Cloud Platform) using Linux, Bash, Git and Docker. Utilized Kubernetes and Docker as the runtime environment of the CI/CD system to build, test and deploy.
- Experience configuring and deploying SaaS, IaaS and PaaS applications to the cloud platform.
- Good configuration knowledge of Fortify, Checkmarx and AppScan for web and mobile applications, and remediation of issues.
- Performed Web Application Security and Penetration Testing in accordance with OWASP standards using manual techniques as well as automated tools.
- Participated in the development of IT security risk assessments for enterprise applications. The NIST framework was utilized for IT risk assessments. This included leading the data discovery meetings, identifying existing controls and validating them against the expected controls. Control gaps or non-compliance with security policies were presented to the stakeholders for remediation.
- Interacted with third-party vendors in conducting security assessments and security compliance audits (Type I and Type II).
- Responsible for performing application penetration testing on web, thick client, and other types of applications to identify significant vulnerabilities that threaten the confidentiality, integrity, and availability of customer systems.
- Conducted PCI required Penetration Test of the eCommerce System which resulted in findings requiring remediation and furthered the PCI compliance effort for the system.
- Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, CSRF, authentication bypass, cryptographic attacks, authentication flaws etc.
- Conducted network penetration tests and ethical hacking, and implemented vulnerability assessments.
- Working knowledge of General Data Protection Regulation (GDPR) assessment to simplify compliance efforts.
- Created and implemented Data Loss Prevention policies and rules to ensure client data confidentiality under the General Data Protection Regulation (GDPR), PCI, PII, etc.
- Gained vast knowledge of regulatory compliance such as PCI-DSS, FFIEC, OFCC, HIPAA, SOX, and GLBA.
- Engineering and implementation of Amazon Web Services (AWS) Security Groups
- Review of AWS Architecture Diagrams and Request form.
- Assist with leading the development and implementation of the cloud security strategy (i.e. SaaS, IaaS, and PaaS) by partnering closely with stakeholders.
- Design, implement, and monitor security measures to protect sites, cloud networks, and information privacy.
- Provide oversight of application packaging to ensure automation is being utilized for both the application and infrastructure builds throughout the development, test, and production environments. This includes the automation of server builds for VMs and maintenance of these builds utilizing Chef scripting as deemed appropriate.
- Partner with the application security team, demonstrating ability to review source code and secure applications.
- Identify, define and implement system security requirements for cloud applications.
- Focus on communications and networking needs between Cloud and on-prem Data Centers, and Cloud and Internet.
- Use JSON policies to create identity-based policies, resource-based policies and Permission Boundaries within the AWS environment.
- Manage a CI/CD (LAMBDA) methodology for server-based technologies within AWS.
- Developed security controls for API proxies using Apigee and enabled security for backend web services (RESTful, SOAP, Microservices).
- Implemented AWS Landing Zone and applied security baselines for multi-account access across the enterprise in the cloud environment.
- Participated in MS Azure migration and developed security controls for IaaS, PaaS, SaaS based application in the cloud.
- Configured AWS VPC, Simple Storage Service (S3) to securely store the organization’s critical file systems. Implemented Access Control Lists (ACLs) and Bucket Policies for controlling access to the data.
- Monitored AWS accounts and workloads using AWS GuardDuty to detect malicious activity and unauthorized behavior.
- Performed security incident review to detect security anomalies using Splunk Enterprise Security. In addition, developed preventative controls and Incident Response (IR) rules for “cyber kill chain” attack models.
- Conducted application penetration testing of 85+ business applications.
- Implemented Secure Software Development Life Cycle (S-SDLC) processes; developed secure coding practices for web, mobile applications, including database and middleware systems.
- Triaged security vulnerabilities to eliminate false positives and worked with the developers for remediation.
- Work experience with HTTP, HTTPS, network layer protocols, WS-Federation and application layer protocols.
- Implementation experience on patching windows servers and workstations using Solarwinds Patch Manager Software.
- Reviewed Azure network security architecture and implemented security controls, specifically Azure virtual networks, including on-premise connectivity, traffic filtering, secure communication, point-to-site VPN, etc.
- Implemented Network Security Groups (NSG) to control network traffic to various Azure network resources. Created NSG rules (inbound and outbound) and prioritized the rules based on the requirements. Associated NSGs to VMs, NICs, and subnets based on the deployment model.
- Validated database security for SQL servers deployed in Azure Cloud environment. Implemented Integrated Windows authentication supported by Azure Active Directory.
- Developed security controls for implementing Azure storage security. The RBAC with Azure AD has been implemented for securing the storage account. The data transmission between applications and Azure has been secured by client-side encryption, HTTPS, SMB3.0.
- Azure disk encryption has been implemented for encrypting OS and data disks.
- Participated in the implementation of Splunk platform to automate security operations as part of Security Orchestration, Automation and Response (SOAR) project.
- Performed threat hunting, Incident Response (IR) using Carbon Black Endpoint Detection and Response (EDR). Developed correlation rules and conducted incident analysis using Splunk ES and Exabeam UBA, UEBA.
- Acquainted with various approaches to Grey & Black box security testing.
- Hands-on with database security / Vulnerability scanner using Imperva Scuba.
- Developed security policies and standards and made sure the business applications are in compliance with the standards.
- Developed reports to document security breaches and the extent of the damage caused by the breaches and responsible for the tracking and assignment of tickets to Security Operations Team
- Implemented OAuth2.0, SAML and Single Sign-On (SSO) with Azure AD for mobile and corporate applications.
- Working knowledge of OSSTMM, OWASP Top 10 and SANS Top 25 software guidelines, Federal Financial Institutions Examination Council's (FFIEC) regulations, including Payment Card Industry (PCI-DSS), HIPAA and Sarbanes-Oxley Section 404 (SOX).
- Identifying the Critical, High, Medium and Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on criticality.
- Proficient in understanding application-level vulnerabilities like XSS, SQL Injection, Clickjacking, CSRF, authentication bypass, cryptographic attacks, authentication flaws, etc.
- Conducted security assessment of PKI Enabled Applications.
- Performed pen testing of both internal and external networks. The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store customer confidential information.
- Designed and reviewed the Windows architecture and identified security gaps within the architecture environments.
- Skilled using Burp Suite Pro, HP WebInspect, IBM AppScan Standard, Source and Enterprise, Nmap, Nessus, SQLMap, RSA Archer, DirBuster, QualysGuard and FireEye Retina for web application penetration tests and infrastructure testing. Performing onsite & remote security consulting including penetration testing, application testing, web application security assessment, onsite internet security assessment, social engineering, wireless assessment, and IDS/IPS hardware deployment.
- Capturing and analyzing network traffic at all layers of the OSI model using Wireshark. Performed malware reverse engineering using IDA Pro.
- Monitor the Security of Critical System (e.g. e-mail servers, database servers, Web Servers, Application Servers, etc.).
- Performed pen testing of both internal and external networks. The pen testing scope included O/S AIX, SQL, Oracle Database.
- Performed the configuration of security solutions like RSA two-factor authentication, Single Sign-On (SSO) and Symantec DLP, and log aggregation and analysis using Splunk Enterprise Security.
- Change management of highly sensitive computer security controls to ensure appropriate system administrative actions; investigated and reported on noted irregularities.
- Conduct network vulnerability assessments using tools to evaluate attack vectors, identify system vulnerabilities and develop remediation plans including security policies, standards and procedures.
Sr. Security Engineer
Confidential, Peoria, Illinois
Responsibilities:
- Conducted Vulnerability Assessment for various applications.
- Managed security assessments to ensure compliance to firm’s security standards (i.e., OWASP Top 10, SANS25). Specifically, security testing has been performed to identify XML External Entity (XXE), Cross-Site Scripting and SQL Injection related attacks within the code.
- Conducted security assessment of cryptography applications including the apps that use a Hardware Security Module (HSM).
- Strong understanding of IP networking concepts and TCP/IP protocols
- Working knowledge with Windows Servers administration and Windows troubleshooting
- Performed penetration testing of mobile (Android and iOS) applications, specifically APK reverse engineering, traffic analysis and manipulation, and dynamic runtime analysis.
- Implemented HP ArcSight ESM including, correlation rules, data-monitors, reports, event annotation stages, case customization, active lists, and pattern discovery.
- Performed pen testing of both internal and external networks. The pen testing scope included O/S (Windows and Linux) and external facing web apps and database servers that store customer confidential information.
- Participated in Web Application Security Testing covering the areas of Mobile, Network Security and Wi-Fi.
- Conducted pen testing for the Web Services (SOA) used by various external vendors.
- Skilled using Burp Suite, Checkmarx, HP Fortify, WebInspect, SecureAssist, WAS, Nmap, Havij and DirBuster for web application penetration tests.
- Generated and presented reports on Security Vulnerabilities to both internal and external customers.
- Security assessment of online applications to identify vulnerabilities in different categories like Input and Data Validation, Authentication, Authorization, Auditing & Logging.
- Vulnerability Assessment of various web applications used in the organization using Burp Suite, WebScarab and HP WebInspect.
- Experience with Identity and Access Management (IAM) and development of user roles and policies for user access management.
- Analyzed correlation rules developed for the Security Information and Event Management (SIEM) system. Reviewed the solution implemented for “log forwarding” from various network devices to ArcSight central logging for alerting and security monitoring.
- Training the development team on the most common vulnerabilities and common code review issues and explaining the remediation.
- Followed up on raised vulnerabilities and revalidated the fixes to ensure 100% closure.
- Kept up to date with new attacks and the latest vulnerabilities to ensure no such loopholes are present in the existing system.
Security Engineer
Confidential, Seattle, WA
Responsibilities:
- Extensive interaction with the onsite coordinator in understanding business issues and requirements, performing exhaustive analysis and providing end-to-end solutions.
- Conducting Web Application Vulnerability Assessment & Threat Modeling, Gap Analysis, secure code review on the applications.
- Conducted security assessments of firewalls, routers, VPNs, switches, BlueCoat Proxy, IDS/IPS and verified their compliance with internal and external security standards.
- Experience with ISO 27001/27002 Certification for ISMS, Sarbanes Oxley (SOX) Compliance
- Performed multiple levels of testing before production to ensure a smooth deployment cycle.
- Creation of Generic Scripts for testing and reusability.
- Application Security Review of all the impacted and non-impacted issues.
- Providing guidance to Development team for better understanding of Vulnerabilities.
- Assisting the customer in understanding the risk and threat level associated with a vulnerability so that the customer may or may not accept the risk with respect to business criticality.
- Identifying the critical, High, Medium, Low vulnerabilities in the applications based on OWASP Top 10 and SANS 25 and prioritizing them based on the criticality for remediation.
- Assisting in the review of solution architectures from a security point of view, which helps avoid security-related issues/threats at an early stage of the project.
- Ensuring compliance with legal and regulatory requirements.
Software Developer (Java/J2EE)
Confidential
Responsibilities:
- Designed and developed a suite of applications used by the internal security department, including BPlanner, OATS.
- Design and implementation of SOAP, RESTful Web services.
- Developed the application presentation layer, which is based on the Spring MVC framework involving JSP, Servlets, HTML and CSS.
- Developed this web application to store all system information in a central location. This was developed using Spring MVC, jQuery, JSP, Servlet, Oracle 10g, HTML and CSS.
- Developed Servlets and utilized jQuery to create a fast and efficient chat server.
- Implemented the Scrum Agile methodology for iterative development of the application.
- Developed server-side business components using Java Servlets, JSPs, and Enterprise Java Beans (EJBs).
- Involved in system design, enterprise application development using object-oriented analysis in Java/JEE6.
- Used Spring Framework for Dependency injection and integrated with the Hibernate framework for interacting with the Oracle database.
- Automated code deployment to production environment by creating tasks using ANT, Maven deployment tools.
- Developed stored procedures, views and triggers using Oracle PL/SQL.
- Analyzed performance issues in the application, related system configuration and developed solutions for improvement.
- Involved in WebLogic and Tomcat application server installation and configuration in production, development and QA environments.
- Conducted training sessions to the rest of the development team on advanced technologies, code reviews and discussion sessions to ensure that coding standards are followed.